https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16695

            Bug ID: 16695
           Summary: [oss-fuzz] #24099 Stack-buffer-overflow in
                    dissect_xcsl_tcp_heur
           Product: Wireshark
           Version: Git
          Hardware: x86
                OS: Linux
            Status: UNCONFIRMED
          Severity: Major
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: lom...@gmail.com
  Target Milestone: ---

Build Information:
TShark (Wireshark) 3.3.0 (v3.3.0rc0-1624-g45e9da9b6710)

Copyright 1998-2020 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.56.4, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with
Lua 5.2.4, with GnuTLS 3.5.18 and PKCS #11 support, with Gcrypt 1.8.1, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.30.0, with brotli, with LZ4,
with Zstandard, with Snappy, with libxml2 2.9.4.

Running on Linux 5.3.0-61-generic, with Intel(R) Core(TM) i7-4800MQ CPU @
2.70GHz (with SSE4.2), with 15918 MB of physical memory, with locale
LC_CTYPE=en_US.UTF-8, LC_NUMERIC=it_IT.UTF-8, LC_TIME=it_IT.UTF-8,
LC_COLLATE=en_US.UTF-8, LC_MONETARY=it_IT.UTF-8, LC_MESSAGES=en_US.UTF-8,
LC_PAPER=it_IT.UTF-8, LC_NAME=it_IT.UTF-8, LC_ADDRESS=it_IT.UTF-8,
LC_TELEPHONE=it_IT.UTF-8, LC_MEASUREMENT=it_IT.UTF-8,
LC_IDENTIFICATION=it_IT.UTF-8, with libpcap version 1.8.1, with GnuTLS 3.5.18,
with Gcrypt 1.8.1, with brotli 1.0.4, with zlib 1.2.11, binary plugins
supported (0 loaded).

Built using clang Clang 10.0.0.

--
A new bug has been found by oss-fuzz.

    #0 0x1d4a09c in get_next_item /src/wireshark/epan/dissectors/packet-xcsl.c:122:14
    #1 0x1d4a09c in dissect_xcsl_tcp /src/wireshark/epan/dissectors/packet-xcsl.c:169:15
    #2 0x1d4a09c in dissect_xcsl_tcp_heur /src/wireshark/epan/dissectors/packet-xcsl.c:296:13
    #3 0x6422b1 in dissector_try_heuristic /src/wireshark/epan/packet.c:2816:9
    #4 0x1a47ec5 in decode_tcp_ports /src/wireshark/epan/dissectors/packet-tcp.c:5910:13
    #5 0x1a4ceee in process_tcp_payload /src/wireshark/epan/dissectors/packet-tcp.c:5965:13
    #6 0x1a48dc0 in dissect_tcp_payload /src/wireshark/epan/dissectors/packet-tcp.c:6047:9
    #7 0x1a573c2 in dissect_tcp /src/wireshark/epan/dissectors/packet-tcp.c:0
    #8 0x63c060 in call_dissector_through_handle /src/wireshark/epan/packet.c:712:9
    #9 0x63c060 in call_dissector_work /src/wireshark/epan/packet.c:805:9
    #10 0x63bb8d in dissector_try_uint_new /src/wireshark/epan/packet.c:1405:8
    #11 0x11ada87 in ip_try_dissect /src/wireshark/epan/dissectors/packet-ip.c:1827:7
    #12 0x11b16bc in dissect_ip_v4 /src/wireshark/epan/dissectors/packet-ip.c:2311:10
    #13 0x63c060 in call_dissector_through_handle /src/wireshark/epan/packet.c:712:9
    #14 0x63c060 in call_dissector_work /src/wireshark/epan/packet.c:805:9
    #15 0x645311 in call_dissector_only /src/wireshark/epan/packet.c:3222:8
    #16 0x645311 in call_all_postdissectors /src/wireshark/epan/packet.c:3597:3
    #17 0xf296c9 in dissect_frame /src/wireshark/epan/dissectors/packet-frame.c:870:5
    #18 0x63c060 in call_dissector_through_handle /src/wireshark/epan/packet.c:712:9
    #19 0x63c060 in call_dissector_work /src/wireshark/epan/packet.c:805:9
    #20 0x638a0b in call_dissector_only /src/wireshark/epan/packet.c:3222:8
    #21 0x638a0b in call_dissector_with_data /src/wireshark/epan/packet.c:3235:8
    #22 0x6381a0 in dissect_record /src/wireshark/epan/packet.c:586:3
    #23 0x62be37 in epan_dissect_run /src/wireshark/epan/epan.c:585:2
    #24 0x4cdba9 in LLVMFuzzerTestOneInput /src/wireshark/fuzz/fuzzshark.c:381:2
    #25 0x27f336e in ExecuteFilesOnyByOne /src/libfuzzer/afl/afl_driver.cpp:217:5
    #26 0x27f336e in main /src/libfuzzer/afl/afl_driver.cpp:254:12
    #27 0x7f5022d4082f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/libc-start.c:291
    #28 0x4207a8 in _start

It's a stack buffer overflow.
